Re: [mailop] Is DNS-over-HTTPS bad? Sure.
On Tue, 7 Jul 2020, Noel Butler via mailop wrote: On 07/07/2020 01:01, Johann Klasek via mailop wrote: I have been told that DoH is set into place to solve the privacy problem. On a small DNS workgroup meeting I saw a presentation on how they statistically identify users by their DNS traffic, and could create a profile with interests and affectations these users have. I think DNS is not that anonymous one would expect. Don't you think there is more chance of a perfect picture of you being built from, ohh i dunno, long standing things like, netflow :) On the whole yes. With shared hosting and content delivery networks ISPs have access to less of the relevant netflowdata - which means Cloudflare wins again ? -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure.
Executive summary: DoH is intended to reset the balance of control and data collection from ISPs, system and network administrators towards (browser) users. On Mon, 6 Jul 2020, Michael Peddemors via mailop wrote: One thing not mentioned so far in this thread, is data collection.. While many D'oh providers claim NOT to log or track, simply by using HTTPS opens up the door to exposing personal browsing habits.. No. They were already exposed. DoH allows whoever configures it (see below) to choose who gets to see the personal browsing habits. It is very easy to simply 'extend' any HTTPS request, to include other information in the request that can be used to uniquely identify the user. Only a matter of time.. Good point, that I hadn't heard before. DNS was just that, DNS.. and effectively anonymous. Technically anonymous, in that there is no official mapping from machine to user. In many environments the DNS provider had some access to that mapping, though DoH does expose the user as well as the machine. My tinfoil hat spidey sense tells me that this is a move towards both big brother, as well as data collection.. As I understand it, Mozilla (Firefox) is championing DoH because it wants *users* to be able to control who collects that data, not sysadmins, network admins or ISPs. On a related point, AM Vittorio Bertola said: making sure that the four browser makers that control >90% of the world's browsers get to choose who is allowed to provide DNS resolution to their users (including doing it themselves or requiring DNS providers to strike business deals with them before allowing them into their list). As I understand it, the browser user controls the DNS provider. Mozilla, at least, is striking deals to ensure that providers who share Mozilla's philosophy are available. Historically, 'choosing' to set your DNS provider at the OS was an end user choice, but with D'oh, it opens the door to the application layer to bypass firewall rules as well. ?? Historically the DNS provider was set by the machine's admin, not by the user. On any multi-user system that difference mattered. -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure.
On 07/07/2020 01:49, John Levine via mailop wrote: > In article <20200706150152.ga9...@tron.kom.tuwien.ac.at>, > >> I have been told that DoH is set into place to solve the privacy >> problem. On a small DNS workgroup meeting I saw a presentation on how >> they statistically identify users by their DNS traffic, and could create >> a profile with interests and affectations these users have. I think DNS >> is not that anonymous one would expect. > > It's not anonymous at all. The question is who's going to collect the data. > > I would not put Cloudflare at the top of that list. Many would. The original announcement on this said they WERE logging requests, for 30 days, then the data would be destroyed, magically, that announcement no longer existed a few weeks later, perhaps it was meant for internal. I dunno, even if Matthew Prince came here and said they were not logging, I still would be VERY skeptical and not take him at face value. I don't trust organisations that want to try centralise the Internet. But don't worry, I don't trust google facebook IBM or Cisco either. -- Kind Regards, Noel Butler This Email, including attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate any part of this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Google: 'Low reputation of the sending domain'
Hi, There are no breaches or spam or anything sent from that server. I would know as I am part of the AS6772 Abuse Desk. :-) Just the dozed or so emails per day sent by my family members and myself. Even emails to my own Gmail Account where my sending email address for sure is a know past sender, are being blocked. we had a similar issue after moving mail.ffnw.de to a new server / IP, though the mails are DKIM signed and SPF passes: : host aspmx.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1 [2a03:4000:47:88::1] Our system has detected that this message 550-5.7.1 is likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for more information. h13si190255wmb.87 - gsmtp (in reply to end of DATA command) I remember a discussion here that reputation is somehow bound to a domain with DKIM, SPF, etc, but this seems to be irrelevant in this case, or do I miss something? Best Regards Bjoern ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On 2020-07-06 06:39, Jaroslaw Rafa via mailop wrote: Dnia 5.07.2020 o godz. 14:13:03 Chris via mailop pisze: Not to mention DNS over HTTPS breaks or renders ineffective most types of content filtering. That's a secondary concern perhaps. I'm betting 99% of users don't have content filtering and don't want it. Corporates need it. Not all users are retail. But is content filtering - especially in corporations - really based on DNS? Yes, really. In a previous life I worked for Nortel in network security. You may have heard of it. We used it internally and were spinning up products (I was involved in functional specification writing) around it over a decade ago. Proofpoint and Microsoft, for example, have major anti-malware products based around it, and you'd be surprised at "big 5" level entities who are using them internally. Then of course there's RPZ. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure.
On Mon, Jul 06, 2020 at 07:10:11AM -0700, Michael Peddemors via mailop wrote: > One thing not mentioned so far in this thread, is data collection.. > > While many D'oh providers claim NOT to log or track, simply by using > HTTPS opens up the door to exposing personal browsing habits.. > > It is very easy to simply 'extend' any HTTPS request, to include other > information in the request that can be used to uniquely identify the > user. > > Only a matter of time.. > > DNS was just that, DNS.. and effectively anonymous. I have been told that DoH is set into place to solve the privacy problem. On a small DNS workgroup meeting I saw a presentation on how they statistically identify users by their DNS traffic, and could create a profile with interests and affectations these users have. I think DNS is not that anonymous one would expect. DoH seems just an easy to grab solution, but may leading just out from the frying pan into the fire ... ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure.
One thing not mentioned so far in this thread, is data collection.. While many D'oh providers claim NOT to log or track, simply by using HTTPS opens up the door to exposing personal browsing habits.. It is very easy to simply 'extend' any HTTPS request, to include other information in the request that can be used to uniquely identify the user. Only a matter of time.. DNS was just that, DNS.. and effectively anonymous. My tinfoil hat spidey sense tells me that this is a move towards both big brother, as well as data collection.. Historically, 'choosing' to set your DNS provider at the OS was an end user choice, but with D'oh, it opens the door to the application layer to bypass firewall rules as well. Not to mention, DNS queries are faster/lighter than DoH, and the caching is usually closer to the end user, for more efficient look-ups. And as someone else pointed out in this thread, this was solving a problem that didn't exist for the vast majority of the internet, or that could be solved in other ways. Kind of a big mallet for a small nail.. IMHO On 2020-07-06 6:42 a.m., Joel M Snyder via mailop wrote: On 7/6/20 4:00 AM, Jaroslaw Rafa wrote: But is content filtering - especially in corporations - really based on DNS? Yes. There's a big company, Cisco (you may have heard of them) which bought OpenDNS and which is aggressively pushing their DNS-based filtering service (called Umbrella) as part of a 360-degree security portfolio. People are buying it left and right. And for people who like the idea but who don't like Cisco (or don't want to pay for it), Quad9 is ready to offer the same service. RFC purists can argue all they want about how DNS filtering is bad, erodes trust, breaks DNSSEC, etc, but no one cares. So, yeah, content filtering is based on whatever we can get our hands on because we are being overwhelmed by the bad guys. No matter what technical or political or philosophical barriers people are putting in place, IT managers in enterprises are stressed to the max and will accept these types of solutions to help reduce their security risk. jms -- "Catch the Magic of Linux..." Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy, Holidays Everyone!)
On 7/6/20 4:00 AM, Jaroslaw Rafa wrote: > But is content filtering - especially in corporations - really based on DNS? Yes. There's a big company, Cisco (you may have heard of them) which bought OpenDNS and which is aggressively pushing their DNS-based filtering service (called Umbrella) as part of a 360-degree security portfolio. People are buying it left and right. And for people who like the idea but who don't like Cisco (or don't want to pay for it), Quad9 is ready to offer the same service. RFC purists can argue all they want about how DNS filtering is bad, erodes trust, breaks DNSSEC, etc, but no one cares. So, yeah, content filtering is based on whatever we can get our hands on because we are being overwhelmed by the bad guys. No matter what technical or political or philosophical barriers people are putting in place, IT managers in enterprises are stressed to the max and will accept these types of solutions to help reduce their security risk. jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Senior Partner, Opus One Phone: +1 520 324 0494 j...@opus1.comhttp://www.opus1.com/jms ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On Mon, Jul 6, 2020 at 3:48 AM Vittorio Bertola via mailop <
mailop@mailop.org> wrote:
>
> The bad idea is taking an extremely marginal use case ("there is a
> dissident in a third world country whose government is blocking access to
> Wikipedia via DNS and we want to circumvent that block") and using it as an
> excuse to break by default almost any DNS-based monitoring, debugging,
> security and access control mechanism for any local network anywhere, also
> making sure that the four browser makers that control >90% of the world's
> browsers get to choose who is allowed to provide DNS resolution to their
> users (including doing it themselves or requiring DNS providers to strike
> business deals with them before allowing them into their list).
>
If said fascist regime has decided to muddle their DNS infrastructure by
serving bogus authoritative responses for some set of domains they don't
like, why would anyone think they wouldn't just set up "
use-application-dns.net" to force end-users to continue to use their DNS
servers which implement that blocking, too? I don't see how this case makes
any sense whatsoever. Dissidents in fascist regions need to be using
something like Tor, there's no logical argument here that pushing DoH as a
default setting will help them in any meaningful way. Indeed, if they are
found to be accessing the IP addresses associated with sites the regime
does not like despite the DNS blocks, they may even end up getting into
serious trouble, since DoH does nothing whatsoever to obscure or proxy the
traffic being sent to those addresses, and there's no reason the regime
could not monitor TCP connections at their international edge as well and
keep a running list of those addresses.
If that's the argument for DoH being a default setting, then it's not only
a bad argument, it's a patently dangerous one. If they are advertising this
to people living under oppressive governance as a means by which to
circumvent local policies regarding prohibited internet content, then
that's downright irresponsible.
Matt Harris|Infrastructure Lead Engineer
816-256-5446|Direct
Looking for something?
Helpdesk Portal|Email Support|Billing Portal
We build and deliver end-to-end IT solutions.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
Hello Jaroslaw, On 06.07.20 12:39, Jaroslaw Rafa via mailop wrote: > But is content filtering - especially in corporations - really based on DNS? yes. That's why systems like https://pi-hole.net/ exist, even for home users. In Germany ISPs were even forced by lawmakers to block specific DNS hostnames from resolving some years ago, because they thought it was an option to block access to unlawful websites. Regards, Thomas Walter -- Thomas Walter Datenverarbeitungszentrale FH Münster - University of Applied Sciences - Corrensstr. 25, Raum B 112 48149 Münster Tel: +49 251 83 64 908 Fax: +49 251 83 64 910 www.fh-muenster.de/dvz/ smime.p7s Description: S/MIME Cryptographic Signature ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
Dnia 5.07.2020 o godz. 14:13:03 Chris via mailop pisze: > >>Not to mention DNS over HTTPS breaks or renders ineffective most > >>types of content filtering. > > >That's a secondary concern perhaps. I'm betting 99% of users don't > >have content filtering and don't want it. > > Corporates need it. Not all users are retail. But is content filtering - especially in corporations - really based on DNS? In my previous job, I worked a bit with UTMs and other content filtering devices. None of them was based on DNS. They used URIBLs, signatures similarly to antivirus applications, and some bayesian or other heuristics to block content. Yes, there was that primitive and old method of content filtering, by putting domain names of unwanted hosts into /etc/hosts file (or equivalent in Windows) pointing eg. to 127.0.0.1. It was quite popular some years ago, but I thought nobody is using this anymore now... -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
> Il 06/07/2020 09:41 Andrew C Aitchison via mailop ha
> scritto:
>
> I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH
> (technically I don't like it, but I sympathize with the philosophical
> idea) but that doesn't explain why DoH itself is a bad idea.
DoH is not a bad idea in itself (though, well, it is not a very significant
progress for the people that use a resolver from their local network or ISP,
which are the broad majority, as attacks on DNS traffic on the local loop are
not common at all).
The bad idea is taking an extremely marginal use case ("there is a dissident in
a third world country whose government is blocking access to Wikipedia via DNS
and we want to circumvent that block") and using it as an excuse to break by
default almost any DNS-based monitoring, debugging, security and access control
mechanism for any local network anywhere, also making sure that the four
browser makers that control >90% of the world's browsers get to choose who is
allowed to provide DNS resolution to their users (including doing it themselves
or requiring DNS providers to strike business deals with them before allowing
them into their list).
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)
On Sun, 5 Jul 2020, Chris Lewis via mailop wrote: On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote: An argument I could tolerate -- corporate IT types can be expected to diagnose smartly enough to deal with it... though it will still make things more difficult for them. Impossible for them, short of blocking HTTPS for everything. I was going to suggest that the canary domain "use-application-dns.net" https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet means that corporate IT can disable DoH without blocking all HTTPS, but I see that "this only applies to users who have DoH enabled as the default option. It does not apply for users who have made the choice to turn on DoH by themselves." Jay R. Ashworth also wrote: Everything on a machine should use the same OS provided facility for looking up DNS. I see no reason why the OS couldn't use DoH. Ubuntu dynamically rewrites resolv.conf every time I re-plug my ethernet cable so adding DoH to the mix isn't going to add much complexity. https://github.com/fanf2/doh101 includes a simple script to make requests over DoH, so you aren't limited to browsers. Additionally, nearly as I can tell, the aptly named D'oH is solving a problem that *users* don't have. But that's a separate issue. My impression is that the ordinary user either doesn't have, or doesn't think that they have, problems that DoH addresses, but that there is a small group of users who have reason to distrust the default DNS provider and should be allowed to choose their own. I use DoH with Firefox for android as it is the easiest way to override my ISP's net nanny DNS (which I want for my small son). I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH (technically I don't like it, but I sympathize with the philosophical idea) but that doesn't explain why DoH itself is a bad idea. -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
